- # MalwareMustDie!! Analysis of ELF Malware.
- $ whoami; date
- unixfreaxjp
- Wed Mar 19 21:15:54 JST 2014
- filename: Host.out
- -rwxr--r-- 1 xxx xxx 56200 Mar 19 18:51 ./Host.out*
- Hash:
- MD5 43adeb1ab71fae57b1993b51a6a8465b
- SHA1 8bb226c54708599b2b0a9a933acc7b2f98648897
- SHA256 a07821d1b6471a6f0d0587089635c2de27df22f041605ee5e6b2420af3a6675e
- VT (1/50): https://www.virustotal.com/en/file/a07821d1b6471a6f0d0587089635c2de27df22f041605ee5e6b2420af3a6675e/analysis/
- On:
- $ uname -a
- FreeBSD unixfreaxjp 9.1-RELEASE-p5 FreeBSD 9.1-RELEASE-p5 #0: Sat Jul 27 01:01:40 UTC 2013
- =================
- STATIC
- =================
- ./Host.out: ELF 32-bit LSB executable,
- Intel 80386, version 1 (SYSV),
- dynamically linked (uses shared libs),
- BuildID[sha1]=0x6a4deb59e2dafed21178a06a3344e755a24c81ba, stripped
- $
- ELF Header:
- Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
- Class: ELF32
- Data: 2's complement, little endian
- Version: 1 (current)
- OS/ABI: UNIX - System V
- ABI Version: 0
- Type: EXEC (Executable file)
- Machine: Intel 80386
- Version: 0x1
- Entry point address: 0x8049dcb
- Start of program headers: 52 (bytes into file)
- Start of section headers: 55360 (bytes into file)
- Flags: 0x0
- Size of this header: 52 (bytes)
- Size of program headers: 32 (bytes)
- Number of program headers: 9
- Size of section headers: 40 (bytes)
- Number of section headers: 21
- Section header string table index: 20
- 00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
- 00000010 02 00 03 00 01 00 00 00 cb 9d 04 08 34 00 00 00 |............4...|
- 00000020 40 d8 00 00 00 00 00 00 34 00 20 00 09 00 28 00 |@.......4. ...(.|
- 00000030 15 00 14 00 06 00 00 00 34 00 00 00 34 80 04 08 |........4...4...|
- 00000040 34 80 04 08 20 01 00 00 20 01 00 00 05 00 00 00 |4... ... .......|
- 00000050 04 00 00 00 03 00 00 00 54 01 00 00 54 81 04 08 |........T...T...|
- 00000060 54 81 04 08 13 00 00 00 13 00 00 00 04 00 00 00 |T...............|
- 00000070 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
- 00000080 00 80 04 08 78 c8 00 00 78 c8 00 00 05 00 00 00 |....x...x.......|
- 00000090 00 10 00 00 01 00 00 00 3c cf 00 00 3c 5f 05 08 |........<...<_..|
- 000000a0 3c 5f 05 08 fc 07 00 00 64 53 00 00 06 00 00 00 |<_......dS......|
- 000000b0 00 10 00 00 02 00 00 00 3c cf 00 00 3c 5f 05 08 |........<...<_..|
- 000000c0 3c 5f 05 08 b8 00 00 00 b8 00 00 00 06 00 00 00 |<_..............|
- 000000d0 04 00 00 00 04 00 00 00 68 01 00 00 68 81 04 08 |........h...h...|
- 000000e0 68 81 04 08 24 00 00 00 24 00 00 00 04 00 00 00 |h...$...$.......|
- 000000f0 04 00 00 00 50 e5 74 64 28 c8 00 00 28 48 05 08 |....P.td(...(H..|
- 00000100 [...]
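The hexdump above is the raw form of the `readelf -h` output that precedes it. As an added example (not code from the original paste), the script below rebuilds the bytes from that dump, unpacks the Elf32_Ehdr and the program headers that fit inside the 256 bytes shown, and checks for the one thing worth flagging in any PT_LOAD table: a segment mapped both writable and executable. HEXDUMP is a verbatim copy of the dump on the page; everything decoded can be compared with the `readelf -h` fields above and the `readelf -l` listing further down.

```python
"""Decode the ELF32 header and program headers from the hexdump above.

Added example; not code from the original MalwareMustDie paste. HEXDUMP is a
verbatim copy of the first 256 bytes of Host.out as printed on the page.
"""
import re
import struct

HEXDUMP = """
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 cb 9d 04 08 34 00 00 00 |............4...|
00000020 40 d8 00 00 00 00 00 00 34 00 20 00 09 00 28 00 |@.......4. ...(.|
00000030 15 00 14 00 06 00 00 00 34 00 00 00 34 80 04 08 |........4...4...|
00000040 34 80 04 08 20 01 00 00 20 01 00 00 05 00 00 00 |4... ... .......|
00000050 04 00 00 00 03 00 00 00 54 01 00 00 54 81 04 08 |........T...T...|
00000060 54 81 04 08 13 00 00 00 13 00 00 00 04 00 00 00 |T...............|
00000070 01 00 00 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000080 00 80 04 08 78 c8 00 00 78 c8 00 00 05 00 00 00 |....x...x.......|
00000090 00 10 00 00 01 00 00 00 3c cf 00 00 3c 5f 05 08 |........<...<_..|
000000a0 3c 5f 05 08 fc 07 00 00 64 53 00 00 06 00 00 00 |<_......dS......|
000000b0 00 10 00 00 02 00 00 00 3c cf 00 00 3c 5f 05 08 |........<...<_..|
000000c0 3c 5f 05 08 b8 00 00 00 b8 00 00 00 06 00 00 00 |<_..............|
000000d0 04 00 00 00 04 00 00 00 68 01 00 00 68 81 04 08 |........h...h...|
000000e0 68 81 04 08 24 00 00 00 24 00 00 00 04 00 00 00 |h...$...$.......|
000000f0 04 00 00 00 50 e5 74 64 28 c8 00 00 28 48 05 08 |....P.td(...(H..|
"""

PT_NAMES = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR",
            0x6474E550: "GNU_EH_FRAME", 0x6474E551: "GNU_STACK", 0x6474E552: "GNU_RELRO"}
PF_X, PF_W, PF_R = 1, 2, 4
HEX_LINE = re.compile(r"^\s*([0-9a-f]+)\s+((?:[0-9a-f]{2}\s)+)")


def parse_hexdump(text):
    """Rebuild bytes from `hexdump -C` style lines; the |ascii| column is ignored."""
    out = bytearray()
    for line in text.strip().splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        assert int(m.group(1), 16) == len(out), "gap in hexdump"
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def parse_elf32_header(data):
    """Unpack the 52-byte Elf32_Ehdr (little-endian, as EI_DATA=1 says)."""
    assert data[:4] == b"\x7fELF", "not an ELF file"
    assert data[4] == 1 and data[5] == 1, "expected ELFCLASS32 / ELFDATA2LSB"
    names = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
             "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
    return dict(zip(names, struct.unpack_from("<HHIIIIIHHHHHH", data, 16)))


def parse_program_headers(data, hdr):
    """Unpack each 32-byte Elf32_Phdr that is fully present in `data`.

    The dump on the page stops at 0x100, so only six of the nine headers can be
    decoded from it; on a complete file the loop yields all of them.
    """
    phdrs = []
    for i in range(hdr["phnum"]):
        off = hdr["phoff"] + i * hdr["phentsize"]
        if off + hdr["phentsize"] > len(data):
            break
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, p_align = \
            struct.unpack_from("<8I", data, off)
        phdrs.append({"type": PT_NAMES.get(p_type, hex(p_type)), "offset": p_off,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz,
                      "flags": p_flags, "align": p_align})
    return phdrs


def flags_str(flags):
    """Render p_flags the way readelf does (R, W, E)."""
    return "".join(c if flags & bit else " " for c, bit in (("R", PF_R), ("W", PF_W), ("E", PF_X)))


def wx_segments(phdrs):
    """PT_LOAD segments that are both writable and executable (none in a normal gcc build)."""
    return [p for p in phdrs if p["type"] == "LOAD" and p["flags"] & PF_W and p["flags"] & PF_X]


def analyse(text=HEXDUMP):
    data = parse_hexdump(text)
    hdr = parse_elf32_header(data)
    return hdr, parse_program_headers(data, hdr)


if __name__ == "__main__":
    hdr, phdrs = analyse()
    print(f"Entry point 0x{hdr['entry']:x}, {hdr['phnum']} program headers at {hdr['phoff']}, "
          f"{hdr['shnum']} section headers at {hdr['shoff']}, shstrndx {hdr['shstrndx']}")
    for p in phdrs:
        print(f"{p['type']:<13} off 0x{p['offset']:06x} vaddr 0x{p['vaddr']:08x} "
              f"filesz 0x{p['filesz']:05x} memsz 0x{p['memsz']:05x} {flags_str(p['flags'])} 0x{p['align']:x}")
    print("W+X LOAD segments:", len(wx_segments(phdrs)))
```

The second PT_LOAD decodes to filesz 0x7fc and memsz 0x5364; the difference, 0x4b68, is exactly the .bss size in the section table, which is a quick sanity check that the dump and the headers belong to the same file. Both LOAD segments come out as R E and RW respectively, so there is no W+X mapping here; a packed or self-modifying sample would usually show one.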
- There are 21 section headers, starting at offset 0xd840:
- Section Headers:
- [Nr] Name Type Addr Off Size ES Flg Lk Inf Al
- [ 0] NULL 00000000 000000 000000 00 0 0 0
- [ 1] .interp PROGBITS 08048154 000154 000013 00 A 0 0 1
- [ 2] .note.gnu.build-i NOTE 08048168 000168 000024 00 A 0 0 4
- [ 3] .hash HASH 0804818c 00018c 000238 04 A 5 0 4
- [ 4] .gnu.hash GNU_HASH 080483c4 0003c4 000018 04 A 5 0 4
- [ 5] .dynsym DYNSYM 080483dc 0003dc 000490 10 A 6 1 4
- [ 6] .dynstr STRTAB 0804886c 00086c 000251 00 A 0 0 1
- [ 7] .gnu.version VERSYM 08048abe 000abe 000092 02 A 5 0 2
- [ 8] .gnu.version_r VERNEED 08048b50 000b50 000090 00 A 6 3 4
- [ 9] .rel.plt REL 08048be0 000be0 000240 08 A 5 10 4
- [10] .plt PROGBITS 08048e20 000e20 000490 04 AX 0 0 16
- [11] .text PROGBITS 080492b0 0012b0 00aa32 00 AX 0 0 16
- [12] .rodata PROGBITS 08053ce8 00bce8 000b3e 00 A 0 0 8
- [13] .eh_frame_hdr PROGBITS 08054828 00c828 000014 00 A 0 0 4
- [14] .eh_frame PROGBITS 0805483c 00c83c 00003c 00 A 0 0 4
- [15] .dynamic DYNAMIC 08055f3c 00cf3c 0000b8 08 WA 6 0 4
- [16] .got.plt PROGBITS 08055ff4 00cff4 00012c 04 WA 0 0 4
- [17] .data PROGBITS 08056120 00d120 000618 00 WA 0 0 4
- [18] .bss NOBITS 08056738 00d738 004b68 00 WA 0 0 4
- [19] .comment PROGBITS 00000000 00d738 000056 01 MS 0 0 1
- [20] .shstrtab STRTAB 00000000 00d78e 0000b1 00 0 0 1
- Key to Flags:
- W (write), A (alloc), X (execute), M (merge), S (strings)
- I (info), L (link order), G (group), x (unknown)
- O (extra OS processing required) o (OS specific), p (processor specific)
- Relocation section '.rel.plt' at offset 0xbe0
- contains 72 entries (the 20 marked <===== are the behaviour-relevant, "aggressive" imports):
- Offset Info Type Sym.Value Sym. Name
- 08056000 00000107 R_386_JUMP_SLOT 00000000 setsockopt
- 08056004 00000207 R_386_JUMP_SLOT 00000000 pthread_mutex_unlock
- 08056008 00000307 R_386_JUMP_SLOT 00000000 read
- 0805600c 00000407 R_386_JUMP_SLOT 00000000 getpwuid
- 08056010 00000507 R_386_JUMP_SLOT 00000000 dup
- 08056014 00000607 R_386_JUMP_SLOT 00000000 free
- 08056018 00000707 R_386_JUMP_SLOT 00000000 fgets
- 0805601c 00000807 R_386_JUMP_SLOT 00000000 fclose
- 08056020 00000907 R_386_JUMP_SLOT 00000000 rmdir
- 08056024 00000a07 R_386_JUMP_SLOT 00000000 time
- 08056028 00000b07 R_386_JUMP_SLOT 00000000 select
- 0805602c 00000c07 R_386_JUMP_SLOT 00000000 chdir
- 08056030 00000d07 R_386_JUMP_SLOT 00000000 endutxent
- 08056034 00000e07 R_386_JUMP_SLOT 00000000 execlp
- 08056038 00000f07 R_386_JUMP_SLOT 00000000 dlclose
- 0805603c 00001007 R_386_JUMP_SLOT 00000000 sysconf
- 08056040 00001107 R_386_JUMP_SLOT 00000000 geteuid
- 08056044 00001207 R_386_JUMP_SLOT 00000000 pthread_mutex_lock
- 08056048 00001307 R_386_JUMP_SLOT 00000000 unlink
- 0805604c 00001407 R_386_JUMP_SLOT 00000000 readlink
- 08056050 00001507 R_386_JUMP_SLOT 00000000 fseek
- 08056054 00001607 R_386_JUMP_SLOT 00000000 __xstat
- 08056058 00001707 R_386_JUMP_SLOT 00000000 fwrite
- 0805605c 00001807 R_386_JUMP_SLOT 00000000 waitpid
- 08056060 00001907 R_386_JUMP_SLOT 00000000 usleep
- 08056064 00001a07 R_386_JUMP_SLOT 00000000 fread
- 08056068 00001b07 R_386_JUMP_SLOT 00000000 getpid
- 0805606c 00001c07 R_386_JUMP_SLOT 00000000 gethostname <=====
- 08056070 00001d07 R_386_JUMP_SLOT 00000000 getenv <=====
- 08056074 00001e07 R_386_JUMP_SLOT 00000000 realloc
- 08056078 00001f07 R_386_JUMP_SLOT 00000000 malloc
- 0805607c 00002007 R_386_JUMP_SLOT 00000000 sysinfo <=====
- 08056080 00002107 R_386_JUMP_SLOT 00000000 getutxent <=====
- 08056084 00002207 R_386_JUMP_SLOT 00000000 exit
- 08056088 00002307 R_386_JUMP_SLOT 00000000 kill <=====
- 0805608c 00002407 R_386_JUMP_SLOT 00000000 open
- 08056090 00002507 R_386_JUMP_SLOT 00000000 setsid <=====
- 08056094 00002607 R_386_JUMP_SLOT 00000000 localtime <=====
- 08056098 00002707 R_386_JUMP_SLOT 00000000 rename <=====
- 0805609c 00002807 R_386_JUMP_SLOT 00000000 write <=====
- 080560a0 00002907 R_386_JUMP_SLOT 00000000 execv <=====
- 080560a4 00002a07 R_386_JUMP_SLOT 00000000 fcntl
- 080560a8 00002b07 R_386_JUMP_SLOT 00000000 dlsym
- 080560ac 00002c07 R_386_JUMP_SLOT 00000000 ftell
- 080560b0 00002d07 R_386_JUMP_SLOT 00000000 fopen
- 080560b4 00002e07 R_386_JUMP_SLOT 00000000 gmtime
- 080560b8 00002f07 R_386_JUMP_SLOT 00000000 mkdir
- 080560bc 00003007 R_386_JUMP_SLOT 00000000 snprintf
- 080560c0 00003107 R_386_JUMP_SLOT 00000000 __errno_location
- 080560c4 00003207 R_386_JUMP_SLOT 00000000 asprintf
- 080560c8 00003307 R_386_JUMP_SLOT 00000000 ldiv
- 080560cc 00003407 R_386_JUMP_SLOT 00000000 pipe
- 080560d0 00003507 R_386_JUMP_SLOT 00000000 access
- 080560d4 00003607 R_386_JUMP_SLOT 00000000 fork
- 080560d8 00003707 R_386_JUMP_SLOT 00000000 readdir
- 080560dc 00003807 R_386_JUMP_SLOT 00000000 sscanf <=====
- 080560e0 00003907 R_386_JUMP_SLOT 00000000 gmtime_r
- 080560e4 00003a07 R_386_JUMP_SLOT 00000000 setutxent <=====
- 080560e8 00003b07 R_386_JUMP_SLOT 00000000 dlopen
- 080560ec 00003c07 R_386_JUMP_SLOT 00000000 socket
- 080560f0 00003d07 R_386_JUMP_SLOT 00000000 pthread_create
- 080560f4 00003e07 R_386_JUMP_SLOT 00000000 __lxstat
- 080560f8 00003f07 R_386_JUMP_SLOT 00000000 chmod <=====
- 080560fc 00004007 R_386_JUMP_SLOT 00000000 umask
- 08056100 00004107 R_386_JUMP_SLOT 00000000 gethostbyname <=====
- 08056104 00004207 R_386_JUMP_SLOT 00000000 shutdown <=====
- 08056108 00004307 R_386_JUMP_SLOT 00000000 connect <=====
- 0805610c 00004407 R_386_JUMP_SLOT 00000000 recv <=====
- 08056110 00004507 R_386_JUMP_SLOT 00000000 close <=====
- 08056114 00004607 R_386_JUMP_SLOT 00000000 closedir <=====
- 08056118 00004707 R_386_JUMP_SLOT 00000000 opendir
- 0805611c 00004807 R_386_JUMP_SLOT 00000000 send <=====
- Elf file type is EXEC (Executable file)
- Entry point 0x8049dcb
- There are 9 program headers, starting at offset 52
- Program Headers:
- Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
- PHDR 0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4
- INTERP 0x000154 0x08048154 0x08048154 0x00013 0x00013 R 0x1
- [Requesting program interpreter: /lib/ld-linux.so.2]
- LOAD 0x000000 0x08048000 0x08048000 0x0c878 0x0c878 R E 0x1000
- LOAD 0x00cf3c 0x08055f3c 0x08055f3c 0x007fc 0x05364 RW 0x1000
- DYNAMIC 0x00cf3c 0x08055f3c 0x08055f3c 0x000b8 0x000b8 RW 0x4
- NOTE 0x000168 0x08048168 0x08048168 0x00024 0x00024 R 0x4
- GNU_EH_FRAME 0x00c828 0x08054828 0x08054828 0x00014 0x00014 R 0x4
- GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
- GNU_RELRO 0x00cf3c 0x08055f3c 0x08055f3c 0x000c4 0x000c4 R 0x1
- Section to Segment mapping:
- Segment Sections...
- 00
- 01 .interp
- 02 .interp .note.gnu.build-id .hash .gnu.hash .dynsym .dynstr .gnu.version
- .gnu.version_r .rel.plt .plt .text .rodata .eh_frame_hdr .eh_frame
- 03 .dynamic .got.plt .data .bss
- 04 .dynamic
- 05 .note.gnu.build-id
- 06 .eh_frame_hdr
- 07
- 08 .dynamic
- Dynamic section at offset 0xcf3c contains 18 entries:
- Tag Type Name/Value
- 0x00000001 (NEEDED) Shared library: [libdl.so.2]
- 0x00000001 (NEEDED) Shared library: [libpthread.so.0]
- 0x00000001 (NEEDED) Shared library: [libc.so.6]
- 0x00000004 (HASH) 0x804818c
- 0x6ffffef5 (GNU_HASH) 0x80483c4
- 0x00000005 (STRTAB) 0x804886c
- 0x00000006 (SYMTAB) 0x80483dc
- 0x0000000a (STRSZ) 593 (bytes)
- 0x0000000b (SYMENT) 16 (bytes)
- 0x00000015 (DEBUG) 0x0
- 0x00000003 (PLTGOT) 0x8055ff4
- 0x00000002 (PLTRELSZ) 576 (bytes)
- 0x00000014 (PLTREL) REL
- 0x00000017 (JMPREL) 0x8048be0
- 0x6ffffffe (VERNEED) 0x8048b50
- 0x6fffffff (VERNEEDNUM) 3
- 0x6ffffff0 (VERSYM) 0x8048abe
- 0x00000000 (NULL) 0x0
- Symbol table '.dynsym' contains 73 entries:
- Num: Value Size Type Bind Vis Ndx Name
- 0: 00000000 0 NOTYPE LOCAL DEFAULT UND
- 1: 00000000 0 FUNC GLOBAL DEFAULT UND setsockopt@GLIBC_2.0 (2)
- 2: 00000000 0 FUNC GLOBAL DEFAULT UND pthread_mutex_unlock@GLIBC_2.0 (3)
- 3: 00000000 0 FUNC GLOBAL DEFAULT UND read@GLIBC_2.0 (3)
- 4: 00000000 0 FUNC GLOBAL DEFAULT UND getpwuid@GLIBC_2.0 (2)
- 5: 00000000 0 FUNC GLOBAL DEFAULT UND dup@GLIBC_2.0 (2)
- 6: 00000000 0 FUNC GLOBAL DEFAULT UND free@GLIBC_2.0 (2)
- 7: 00000000 0 FUNC GLOBAL DEFAULT UND fgets@GLIBC_2.0 (2)
- 8: 00000000 0 FUNC GLOBAL DEFAULT UND fclose@GLIBC_2.1 (4)
- 9: 00000000 0 FUNC GLOBAL DEFAULT UND rmdir@GLIBC_2.0 (2)
- 10: 00000000 0 FUNC GLOBAL DEFAULT UND time@GLIBC_2.0 (2)
- 11: 00000000 0 FUNC GLOBAL DEFAULT UND select@GLIBC_2.0 (2)
- 12: 00000000 0 FUNC GLOBAL DEFAULT UND chdir@GLIBC_2.0 (2)
- 13: 00000000 0 FUNC GLOBAL DEFAULT UND endutxent@GLIBC_2.1 (4)
- 14: 00000000 0 FUNC GLOBAL DEFAULT UND execlp@GLIBC_2.0 (2)
- 15: 00000000 0 FUNC GLOBAL DEFAULT UND dlclose@GLIBC_2.0 (5)
- 16: 00000000 0 FUNC GLOBAL DEFAULT UND sysconf@GLIBC_2.0 (2)
- 17: 00000000 0 FUNC GLOBAL DEFAULT UND geteuid@GLIBC_2.0 (2)
- 18: 00000000 0 FUNC GLOBAL DEFAULT UND pthread_mutex_lock@GLIBC_2.0 (3)
- 19: 00000000 0 FUNC GLOBAL DEFAULT UND unlink@GLIBC_2.0 (2)
- 20: 00000000 0 FUNC GLOBAL DEFAULT UND readlink@GLIBC_2.0 (2)
- 21: 00000000 0 FUNC GLOBAL DEFAULT UND fseek@GLIBC_2.0 (2)
- 22: 00000000 0 FUNC GLOBAL DEFAULT UND __xstat@GLIBC_2.0 (2)
- 23: 00000000 0 FUNC GLOBAL DEFAULT UND fwrite@GLIBC_2.0 (2)
- 24: 00000000 0 FUNC GLOBAL DEFAULT UND waitpid@GLIBC_2.0 (3)
- 25: 00000000 0 FUNC GLOBAL DEFAULT UND usleep@GLIBC_2.0 (2)
- 26: 00000000 0 FUNC GLOBAL DEFAULT UND fread@GLIBC_2.0 (2)
- 27: 00000000 0 FUNC GLOBAL DEFAULT UND getpid@GLIBC_2.0 (2)
- 28: 00000000 0 FUNC GLOBAL DEFAULT UND gethostname@GLIBC_2.0 (2)
- 29: 00000000 0 FUNC GLOBAL DEFAULT UND getenv@GLIBC_2.0 (2)
- 30: 00000000 0 FUNC GLOBAL DEFAULT UND realloc@GLIBC_2.0 (2)
- 31: 00000000 0 FUNC GLOBAL DEFAULT UND malloc@GLIBC_2.0 (2)
- 32: 00000000 0 FUNC GLOBAL DEFAULT UND sysinfo@GLIBC_2.0 (2)
- 33: 00000000 0 FUNC GLOBAL DEFAULT UND getutxent@GLIBC_2.1 (4)
- 34: 00000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.0 (2)
- 35: 00000000 0 FUNC GLOBAL DEFAULT UND kill@GLIBC_2.0 (2)
- 36: 00000000 0 FUNC GLOBAL DEFAULT UND open@GLIBC_2.0 (3)
- 37: 00000000 0 FUNC GLOBAL DEFAULT UND setsid@GLIBC_2.0 (2)
- 38: 00000000 0 FUNC GLOBAL DEFAULT UND localtime@GLIBC_2.0 (2)
- 39: 00000000 0 FUNC GLOBAL DEFAULT UND rename@GLIBC_2.0 (2)
- 40: 00000000 0 FUNC GLOBAL DEFAULT UND write@GLIBC_2.0 (3)
- 41: 00000000 0 FUNC GLOBAL DEFAULT UND execv@GLIBC_2.0 (2)
- 42: 00000000 0 FUNC GLOBAL DEFAULT UND fcntl@GLIBC_2.0 (3)
- 43: 00000000 0 FUNC GLOBAL DEFAULT UND dlsym@GLIBC_2.0 (5)
- 44: 00000000 0 FUNC GLOBAL DEFAULT UND ftell@GLIBC_2.0 (2)
- 45: 00000000 0 FUNC GLOBAL DEFAULT UND fopen@GLIBC_2.1 (4)
- 46: 00000000 0 FUNC GLOBAL DEFAULT UND gmtime@GLIBC_2.0 (2)
- 47: 00000000 0 FUNC GLOBAL DEFAULT UND mkdir@GLIBC_2.0 (2)
- 48: 00000000 0 FUNC GLOBAL DEFAULT UND snprintf@GLIBC_2.0 (2)
- 49: 00000000 0 FUNC GLOBAL DEFAULT UND __errno_location@GLIBC_2.0 (3)
- 50: 00000000 0 FUNC GLOBAL DEFAULT UND asprintf@GLIBC_2.0 (2)
- 51: 00000000 0 FUNC GLOBAL DEFAULT UND ldiv@GLIBC_2.0 (2)
- 52: 00000000 0 FUNC GLOBAL DEFAULT UND pipe@GLIBC_2.0 (2)
- 53: 00000000 0 FUNC GLOBAL DEFAULT UND access@GLIBC_2.0 (2)
- 54: 00000000 0 FUNC GLOBAL DEFAULT UND fork@GLIBC_2.0 (3)
- 55: 00000000 0 FUNC GLOBAL DEFAULT UND readdir@GLIBC_2.0 (2)
- 56: 00000000 0 FUNC GLOBAL DEFAULT UND sscanf@GLIBC_2.0 (2)
- 57: 00000000 0 FUNC GLOBAL DEFAULT UND gmtime_r@GLIBC_2.0 (2)
- 58: 00000000 0 FUNC GLOBAL DEFAULT UND setutxent@GLIBC_2.1 (4)
- 59: 00000000 0 FUNC GLOBAL DEFAULT UND dlopen@GLIBC_2.1 (6)
- 60: 00000000 0 FUNC GLOBAL DEFAULT UND socket@GLIBC_2.0 (2)
- 61: 00000000 0 FUNC GLOBAL DEFAULT UND pthread_create@GLIBC_2.1 (7)
- 62: 00000000 0 FUNC GLOBAL DEFAULT UND __lxstat@GLIBC_2.0 (2)
- 63: 00000000 0 FUNC GLOBAL DEFAULT UND chmod@GLIBC_2.0 (2)
- 64: 00000000 0 FUNC GLOBAL DEFAULT UND umask@GLIBC_2.0 (2)
- 65: 00000000 0 FUNC GLOBAL DEFAULT UND gethostbyname@GLIBC_2.0 (2)
- 66: 00000000 0 FUNC GLOBAL DEFAULT UND shutdown@GLIBC_2.0 (2)
- 67: 00000000 0 FUNC GLOBAL DEFAULT UND connect@GLIBC_2.0 (3)
- 68: 00000000 0 FUNC GLOBAL DEFAULT UND recv@GLIBC_2.0 (3)
- 69: 00000000 0 FUNC GLOBAL DEFAULT UND close@GLIBC_2.0 (3)
- 70: 00000000 0 FUNC GLOBAL DEFAULT UND closedir@GLIBC_2.0 (2)
- 71: 00000000 0 FUNC GLOBAL DEFAULT UND opendir@GLIBC_2.0 (2)
- 72: 00000000 0 FUNC GLOBAL DEFAULT UND send@GLIBC_2.0 (3)
- Version needs section '.gnu.version_r' contains 3 entries:
- Addr: 0x0000000008048b50 Offset: 0x000b50 Link to section: 6 (.dynstr)
- 000000: Version: 1 File: libdl.so.2 Cnt: 2
- 0x0010: Name: GLIBC_2.1 Flags: none Version: 6
- 0x0020: Name: GLIBC_2.0 Flags: none Version: 5
- 0x0030: Version: 1 File: libpthread.so.0 Cnt: 2
- 0x0040: Name: GLIBC_2.1 Flags: none Version: 7
- 0x0050: Name: GLIBC_2.0 Flags: none Version: 3
- 0x0060: Version: 1 File: libc.so.6 Cnt: 2
- 0x0070: Name: GLIBC_2.1 Flags: none Version: 4
- 0x0080: Name: GLIBC_2.0 Flags: none Version: 2
- Sections:
- Idx Name Size VMA LMA File off Algn
- 0 .interp 00000013 08048154 08048154 00000154 2**0
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 1 .note.gnu.build-id 00000024 08048168 08048168 00000168 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 2 .hash 00000238 0804818c 0804818c 0000018c 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 3 .gnu.hash 00000018 080483c4 080483c4 000003c4 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 4 .dynsym 00000490 080483dc 080483dc 000003dc 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 5 .dynstr 00000251 0804886c 0804886c 0000086c 2**0
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 6 .gnu.version 00000092 08048abe 08048abe 00000abe 2**1
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 7 .gnu.version_r 00000090 08048b50 08048b50 00000b50 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 8 .rel.plt 00000240 08048be0 08048be0 00000be0 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 9 .plt 00000490 08048e20 08048e20 00000e20 2**4
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 10 .text 0000aa32 080492b0 080492b0 000012b0 2**4
- CONTENTS, ALLOC, LOAD, READONLY, CODE
- 11 .rodata 00000b3e 08053ce8 08053ce8 0000bce8 2**3
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 12 .eh_frame_hdr 00000014 08054828 08054828 0000c828 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 13 .eh_frame 0000003c 0805483c 0805483c 0000c83c 2**2
- CONTENTS, ALLOC, LOAD, READONLY, DATA
- 14 .dynamic 000000b8 08055f3c 08055f3c 0000cf3c 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 15 .got.plt 0000012c 08055ff4 08055ff4 0000cff4 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 16 .data 00000618 08056120 08056120 0000d120 2**2
- CONTENTS, ALLOC, LOAD, DATA
- 17 .bss 00004b68 08056738 08056738 0000d738 2**2
- ALLOC
- 18 .comment 00000056 00000000 00000000 0000d738 2**0
- CONTENTS, READONLY
- =================
- HEURISTIC
- =================
- $ suspicious_strings sample:
- // Backconnect....
- FCONNECT %s:%d HTTP/1.0
- 200 OK
- %s%s
- %.2d/%.2d/%d %.2d:%.2d:%.2d
- %llu
- %s/%s
- http://%s%s
- GET %s HTTP/1.1
- Host: %s
- Connection: close
- // Shell
- /proc/%i/exe
- /proc/self/cmdline
- // Credentials grabber...
- %s/.opera/wand.dat // Opera
- %s/.purple/accounts.xml
- <protocol>
- %d%s
- <name>
- <password>
- %s/.config/google-chrome/Default/Login Data // Chrome
- %s/.config/chromium/Default/Login Data
- Path=firefox* // Mozilla
- thunderbird*
- libmozsqlite3.so
- select * from moz_logins
- %c%s
- %s/.mozilla/firefox/profiles.ini
- %s/.mozilla/firefox/%s
- %s/.thunderbird/profiles.ini
- %s/.thunderbird/%s
- %s/.mozilla/seamonkey/profiles.ini
- %s/.mozilla/seamonkey/%s
- // Note: the sqlite3 API names appear as plain strings, consistent with resolving them at run time via dlopen/dlsym (both imported) to read the Mozilla password store (signons.sqlite):
- libsqlite3.so
- libmozsqlite3.so
- %s/signons.sqlite
- sqlite3_open
- sqlite3_close
- sqlite3_prepare_v2
- sqlite3_step
- sqlite3_column_text
- // Autostart...
- %s/.config/autostart/%s.desktop
- /tmp/.%s
- -m %s
- %s/.config/autostart
- %s/%s.desktop
- [Desktop Entry]
- Type=Application
- Exec="%s"
- Hidden=false
- Name=%s
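The autostart strings above show the persistence mechanism: a `.desktop` file built from that `[Desktop Entry]` template and dropped into `%s/.config/autostart/`. As an added example (not the sample's code and not from the original paste), the checker below parses such files and flags entries whose `Exec` target runs from a temp directory or is a dot-prefixed hidden file; those two rules are my heuristics, and the two files in SAMPLES are constructed inputs, one benign and one shaped like the template on the page.

```python
"""Flag suspicious XDG autostart entries (the persistence pattern in the strings above).

Added example; not from the original paste. The rules and SAMPLES are mine:
SAMPLES holds two constructed .desktop files, a benign one and one modelled on
the [Desktop Entry] template the sample writes.
"""
import configparser
import glob
import os
import shlex

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

SAMPLES = {
    "nm-applet.desktop": """[Desktop Entry]
Type=Application
Exec=nm-applet
Hidden=false
Name=Network
""",
    # constructed: same shape as the template on the page, Exec pointing at a hidden file in /tmp
    "x.desktop": """[Desktop Entry]
Type=Application
Exec="/tmp/.x"
Hidden=false
Name=x
""",
}


def exec_target(exec_line):
    """First word of Exec=, with shell quoting removed (Exec="%s" in the template)."""
    try:
        argv = shlex.split(exec_line)
    except ValueError:
        return None
    return argv[0] if argv else None


def check_entry(text):
    """Return the reasons one .desktop file looks suspicious; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .desktop keys are case-sensitive; keep them as written
    try:
        cp.read_string(text)
    except configparser.Error as e:
        return [f"not parsable as a desktop file: {e}"]
    if not cp.has_section("Desktop Entry"):
        return ["no [Desktop Entry] section"]
    sec = cp["Desktop Entry"]
    if sec.get("Hidden", "false").strip().lower() == "true":
        return []  # Hidden=true disables the entry; it is never launched
    target = exec_target(sec.get("Exec", ""))
    if target is None:
        return ["empty or unparsable Exec line"]
    reasons = []
    if target.startswith(TEMP_DIRS):
        reasons.append(f"Exec runs from a temp dir: {target}")
    if os.path.basename(target).startswith("."):
        reasons.append(f"Exec is a hidden file: {target}")
    return reasons


def scan(entries):
    """entries: {filename: contents}. Returns {filename: reasons} for flagged files only."""
    flagged = {}
    for name, text in entries.items():
        reasons = check_entry(text)
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_autostart_dir(home=None):
    """Scan the real ~/.config/autostart of the current (or a given) home directory."""
    home = home or os.path.expanduser("~")
    entries = {}
    for path in glob.glob(os.path.join(home, ".config", "autostart", "*.desktop")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            entries[os.path.basename(path)] = fh.read()
    return scan(entries)


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(f"{name}: " + "; ".join(reasons))
    for name, reasons in scan_autostart_dir().items():
        print(f"[live] {name}: " + "; ".join(reasons))
```

On a real host, run it for every home directory under /home and /root, not just the current user, since the sample writes into the `$HOME` of whoever ran it. A useful extra rule that is left out here to keep the output deterministic is "Exec target no longer exists on disk", which catches entries left behind after the binary was removed.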
- ====================
- DEBUG
- ====================
- // Without execute permission (execve fails with EACCES; file mode is -rwxr--r--)
- [001a57a2] execve("./Host.out", ["./Host.out"], [/* 20 vars */]) = -1 EACCES (Permission denied)
- [001a57a2] dup(2) = 3
- [001a57a2] fcntl64(3, F_GETFL) = 0x8002 (flags O_RDWR|O_LARGEFILE)
- [001a57a2] fstat64(3, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
- [001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fde000
- [001a57a2] _llseek(3, 0, 0xbff04ff0, SEEK_CUR) = -1 ESPIPE (Illegal seek)
- [001a57a2] write(3, "Ztrace: exec: Permission denied\n", 32Ztrace: exec: Permission denied
- ) = 32
- [001a57a2] close(3) = 0
- [001a57a2] munmap(0xb7fde000, 4096) = 0
- [001a57a2] exit_group(1) = ?
- // With execute permission
- [001a57a2] execve("./Host.out", ["./Host.out"], [/* 20 vars */]) = 0
- [001b729d] uname({sys="Linux", node="YOUR.HOST.NAME", ...}) = 0
- [001b5e1b] brk(0) = 0x94d8000
- [001b6bb1] access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
- [001b6a74] open("/etc/ld.so.cache", O_RDONLY) = 3
- [001b698b] fstat64(3, {st_mode=S_IFREG|0644, st_size=22317, ...}) = 0
- [001b71dd] old_mmap(NULL, 22317, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fd2000
- [001b6aad] close(3) = 0
- [001b6a74] open("/lib/libdl.so.2", O_RDONLY) = 3
- [001b6af4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260[1\0004\0\0\0"..., 512) = 512
- [001b698b] fstat64(3, {st_mode=S_IFREG|0755, st_size=16796, ...}) = 0
- [001b71dd] old_mmap(0x315000, 12388, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x315000
- [001b71dd] old_mmap(0x317000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x317000
- [001b6aad] close(3) = 0
- [001b6a74] open("/lib/tls/libpthread.so.0", O_RDONLY) = 3
- [001b6af4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0PH7\0004\0\0\0"..., 512) = 512
- [001b698b] fstat64(3, {st_mode=S_IFREG|0755, st_size=108040, ...}) = 0
- [001b71dd] old_mmap(0x370000, 70108, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x370000
- [001b71dd] old_mmap(0x37e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xd000) = 0x37e000
- [001b71dd] old_mmap(0x380000, 4572, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x380000
- [001b6aad] close(3) = 0
- [001b6a74] open("/lib/tls/libc.so.6", O_RDONLY) = 3
- [001b6af4] read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340>\35\0004\0\0\0"..., 512) = 512
- [001b698b] fstat64(3, {st_mode=S_IFREG|0755, st_size=1547732, ...}) = 0
- [001b71dd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd1000
- [001b71dd] old_mmap(0x1bf000, 1240284, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1bf000
- [001b71dd] old_mmap(0x2e8000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x129000) = 0x2e8000
- [001b71dd] old_mmap(0x2ec000, 7388, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2ec000
- [001b6aad] close(3) = 0
- [001b71dd] old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd0000
- [001b7264] mprotect(0x2e8000, 8192, PROT_READ) = 0
- [001b7264] mprotect(0x37e000, 4096, PROT_READ) = 0
- [001b7264] mprotect(0x317000, 4096, PROT_READ) = 0
- [001b7264] mprotect(0x8055000, 4096, PROT_READ) = 0
- [001b7264] mprotect(0x1bb000, 4096, PROT_READ) = 0
- [001a7820] set_thread_area({entry_number:-1 -> 6, base_addr:0xb7fd06c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
- [001b7221] munmap(0xb7fd2000, 22317) = 0
- [001a57a2] set_tid_address(0xb7fd0708) = 23661
- [001a57a2] rt_sigaction(SIGRTMIN, {0x374380, [], SA_RESTORER|SA_SIGINFO, 0x37ba90}, NULL, 8) = 0
- [001a57a2] rt_sigaction(SIGRT_1, {0x3743f0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x37ba90}, NULL, 8) = 0
- [001a57a2] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
- [001a57a2] getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
- [001a57a2] _sysctl({{CTL_KERN, KERN_VERSION}, 2, 0xbff2550c, 30, (nil), 0}) = 0
- [001a57a2] brk(0) = 0x94d8000
- [001a57a2] brk(0x94f9000) = 0x94f9000
- [001a57a2] readlink("/proc/23661/exe", "/YOUR.PATH.TO/Host.out", 4352) = 38
- [001a57a2] open("/tmp/.-", O_WRONLY|O_CREAT, 0666) = 3
- [001a57a2] fcntl64(3, F_SETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=1}) = 0
- [001a57a2] open("/etc/resolv.conf", O_RDONLY) = 4
- [001a57a2] fstat64(4, {st_mode=S_IFREG|0644, st_size=156, ...}) = 0
- [001a57a2] mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fd7000
- [001a57a2] read(4, "search YOUR.DOMAIN\nnameserver 202.2"..., 4096) = 156
- [001a57a2] read(4, "", 4096) = 0
- [001a57a2] close(4) = 0
- [001a57a2] munmap(0xb7fd7000, 4096) = 0
- [001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
- [001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
- [001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
- [001a57a2] close(4) = 0
- [001a57a2] nanosleep({8, 0}, NULL) = 0
- [001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
- [001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
- [001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
- [001a57a2] close(4) = 0
- [001a57a2] nanosleep({8, 0}, NULL) = 0
- [001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
- [001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
- [001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
- [001a57a2] close(4) = 0
- [001a57a2] nanosleep({8, 0},
- [...] // Daemonized..
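The trace above contains the behavioural facts that matter for triage: the sample resolves its own path via /proc/&lt;pid&gt;/exe, takes an F_WRLCK lock on /tmp/.- (the usual single-instance guard, and a path that fits the `/tmp/.%s` format string from the strings dump), then loops on a TCP connect to 127.0.133.7:3360 with an 8-second nanosleep between attempts. As an added example (not code from the original paste), the parser below pulls those indicators out of `strace -i` lines. TRACE is a verbatim excerpt of the "With privileges" trace on the page; the line format it assumes is `[ip] syscall(args) = result [ERRNO (text)]`, and the indicator logic is mine.

```python
"""Extract behavioural indicators from the strace -i trace above.

Added example; not from the original paste. TRACE is a verbatim excerpt of the
page's trace (pid 23661); the unfinished last line is kept on purpose to show
that incomplete syscall lines are skipped.
"""
import re

TRACE = r'''
[001a57a2] readlink("/proc/23661/exe", "/YOUR.PATH.TO/Host.out", 4352) = 38
[001a57a2] open("/tmp/.-", O_WRONLY|O_CREAT, 0666) = 3
[001a57a2] fcntl64(3, F_SETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=1}) = 0
[001a57a2] open("/etc/resolv.conf", O_RDONLY) = 4
[001a57a2] read(4, "search YOUR.DOMAIN\nnameserver 202.2"..., 4096) = 156
[001a57a2] close(4) = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
[001a57a2] close(4) = 0
[001a57a2] nanosleep({8, 0}, NULL) = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
[001a57a2] close(4) = 0
[001a57a2] nanosleep({8, 0}, NULL) = 0
[001a57a2] socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[001a57a2] connect(4, {sa_family=AF_INET, sin_port=htons(3360), sin_addr=inet_addr("127.0.133.7")}, 16) = -1 ECONNREFUSED (Connection refused)
[001a57a2] shutdown(4, 2 /* send and receive */) = -1 ENOTCONN (Transport endpoint is not connected)
[001a57a2] close(4) = 0
[001a57a2] nanosleep({8, 0},
'''

LINE = re.compile(r'^\[([0-9a-f]+)\] (\w+)\((.*)\) = (-?\d+|\?)(?: (E[A-Z0-9]+))?')
CONNECT = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)')
SLEEP = re.compile(r'\{(\d+), (\d+)\}')


def parse_strace(text):
    """One dict per completed syscall line; lines without '= result' are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, name, args, ret, err = m.groups()
        events.append({"ip": ip, "syscall": name, "args": args,
                       "ret": None if ret == "?" else int(ret), "errno": err})
    return events


def summarize(text):
    """Track fds across open/socket/close so locks and connects map back to names."""
    fds = {}
    out = {"self_path": None, "lock_files": [], "connects": {}, "sleeps": []}
    for ev in parse_strace(text):
        name, args, ret = ev["syscall"], ev["args"], ev["ret"]
        if name == "readlink" and args.startswith('"/proc/'):
            out["self_path"] = re.findall(r'"([^"]*)"', args)[1]
        elif name == "open" and ret is not None and ret >= 0:
            fds[ret] = re.match(r'"([^"]*)"', args).group(1)
        elif name == "socket" and ret is not None and ret >= 0:
            fds[ret] = "<socket>"
        elif name == "close":
            fds.pop(int(args), None)
        elif name in ("fcntl", "fcntl64") and "F_SETLK" in args and "F_WRLCK" in args:
            out["lock_files"].append(fds.get(int(args.split(",")[0]), "?"))
        elif name == "connect":
            m = CONNECT.search(args)
            if m:
                key = (m.group(2), int(m.group(1)))
                st = out["connects"].setdefault(key, {"attempts": 0, "refused": 0})
                st["attempts"] += 1
                if ev["errno"] == "ECONNREFUSED":
                    st["refused"] += 1
        elif name == "nanosleep":
            m = SLEEP.match(args)
            if m:
                out["sleeps"].append(int(m.group(1)))
    return out


if __name__ == "__main__":
    s = summarize(TRACE)
    print("self path :", s["self_path"])
    print("lock files:", s["lock_files"])
    for (ip, port), st in s["connects"].items():
        print(f"connect   : {ip}:{port} attempts={st['attempts']} refused={st['refused']}")
    print("sleeps (s):", s["sleeps"])
```

The lock file is the cheapest host indicator here: a write lock held on a hidden file in /tmp by a process whose /proc/&lt;pid&gt;/exe does not point at a packaged binary. The connect summary gives the network side (target, port, retry period) without a PCAP, which matters when, as below, the callback never succeeds.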
- ===============
- PCAP
- ===============
- No established connection made: every TCP connect to 127.0.133.7:3360 in the trace was refused, and the sample just retries every 8 seconds (nanosleep({8, 0})).
- ----
- #MalwareMustDie!!